Hello,
syzbot has tested the proposed patch, but the reproducer still triggered a
crash:
assert "cmd != NULL" failed in pckbc.c
panic: kernel diagnostic assertion "cmd != NULL" failed:
file "/syzkaller/jobs/openbsd/kernel/sys/dev/ic/pckbc.c", line 793
Stopped at db_enter+0x18: addq $0x8,%rsp
TID PID UID PRFLAGS PFLAGS CPU COMMAND
*267967 96840 0 0 0x4000000 0K syz-executor.0
485362 87546 0 0x14000 0x200 1 reaper
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
__assert(ffffffff81f9ccfd,ffffffff81f5bdb2,319,ffffffff81f79c01) at
__assert+0x2e sys/kern/subr_prf.c:159
pckbc_start(ffff800000026e00,1) at pckbc_start+0x2e3 sys/dev/ic/pckbc.c:793
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c3afce,2,0,1) at
pckbc_enqueue_cmd+0x25a sys/dev/ic/pckbc.c:923
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c3b370,42,ffff800020b38980)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c3b370,42,ffff800020b38980)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c3b370,42,ffff800020b38980)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c3b370,42,ffff800020b38980)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
VOP_IOCTL(fffffd8069040a60,80045721,ffff800020c3b370,42,fffffd807f7c6900,ffff800020b38980)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd8073949900,80045721,ffff800020c3b370,ffff800020b38980) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b38980,ffff800020c3b498,ffff800020c3b500) at
sys_ioctl+0x5b8
syscall(ffff800020c3b570) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c3b570) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,96b4ff24010) at Xsyscall+0x128
end of kernel
end trace frame: 0x96e3493f560, count: 1
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
kernel diagnostic assertion "cmd != NULL" failed:
file "/syzkaller/jobs/openbsd/kernel/sys/dev/ic/pckbc.c", line 793
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:398
panic() at panic+0x15c sys/kern/subr_prf.c:212
__assert(ffffffff81f9ccfd,ffffffff81f5bdb2,319,ffffffff81f79c01) at
__assert+0x2e sys/kern/subr_prf.c:159
pckbc_start(ffff800000026e00,1) at pckbc_start+0x2e3 sys/dev/ic/pckbc.c:793
pckbc_enqueue_cmd(ffff800000026e00,1,ffff800020c3afce,2,0,1) at
pckbc_enqueue_cmd+0x25a sys/dev/ic/pckbc.c:923
pms_ioctl_mouse(ffff80000066c200,80045721,ffff800020c3b370,42,ffff800020b38980)
at
pms_ioctl_mouse+0x137
wsmouse_do_ioctl(ffff80000064dc00,80045721,ffff800020c3b370,42,ffff800020b38980)
at
wsmouse_do_ioctl+0x2e3 sys/dev/wscons/wsmouse.c:527
wsmousedoioctl(ffff80000064dc00,80045721,ffff800020c3b370,42,ffff800020b38980)
at
wsmousedoioctl+0x51 sys/dev/wscons/wsmouse.c:429
wsmux_do_ioctl(ffff800000026d00,80045721,ffff800020c3b370,42,ffff800020b38980)
at
wsmux_do_ioctl+0x5b3 sys/dev/wscons/wsmux.c:546
VOP_IOCTL(fffffd8069040a60,80045721,ffff800020c3b370,42,fffffd807f7c6900,ffff800020b38980)
at
VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
vn_ioctl(fffffd8073949900,80045721,ffff800020c3b370,ffff800020b38980) at
vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
sys_ioctl(ffff800020b38980,ffff800020c3b498,ffff800020c3b500) at
sys_ioctl+0x5b8
syscall(ffff800020c3b570) at syscall+0x552 mi_syscall
sys/sys/syscall_mi.h:99 [inline]
syscall(ffff800020c3b570) at syscall+0x552 sys/arch/amd64/amd64/trap.c:574
Xsyscall(6,0,ffffffffffffff39,0,3,96b4ff24010) at Xsyscall+0x128
end of kernel
end trace frame: 0x96e3493f560, count: -14
ddb{0}> show registers
rdi 0
rsi 0x1
rbp 0xffff800020c3add0
rbx 0xffff800020c3ae80
rdx 0xffff800020b38980
rcx 0
rax 0
r8 0xffffffff81749a43 kprintf+0x173
r9 0x1
r10 0x25
r11 0x1d7488c7b85750bb
r12 0x3000000008
r13 0xffff800020c3ade0
r14 0x100
r15 0x1
rip 0xffffffff819cfb88 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c3adc0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor.0) pid=267967 stat=onproc
flags process=0 proc=4000000<THREAD>
pri=65, usrpri=65, nice=20
forw=0xffffffffffffffff, list=0xffff800020b39790,0xffffffff8237e8f8
process=0xffff800020b8cd38 user=0xffff800020c36000,
vmspace=0xfffffd806e7e3710
estcpu=15, cpticks=1, pctcpu=0.0
user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
96840 480277 11819 0 2 0 syz-executor.0
*96840 267967 11819 0 7 0x4000000 syz-executor.0
97119 282975 61939 0 3 0x82 nanosleep syz-executor.1
11819 29973 61939 0 3 0x82 nanosleep syz-executor.0
61939 74852 3375 0 3 0x82 kqread syz-execprog
61939 185632 3375 0 3 0x4000082 nanosleep syz-execprog
61939 193769 3375 0 3 0x4000082 thrsleep syz-execprog
61939 27622 3375 0 3 0x4000082 thrsleep syz-execprog
61939 5699 3375 0 3 0x4000082 thrsleep syz-execprog
61939 273081 3375 0 3 0x4000082 thrsleep syz-execprog
61939 409223 3375 0 3 0x4000082 thrsleep syz-execprog
61939 320573 3375 0 3 0x4000082 thrsleep syz-execprog
61939 116697 3375 0 3 0x4000082 thrsleep syz-execprog
3375 99602 9298 0 3 0x10008a pause ksh
9298 358394 4203 0 3 0x92 select sshd
42589 58459 1 0 3 0x100083 ttyin getty
4203 35406 1 0 3 0x80 select sshd
27155 459921 69593 74 3 0x100092 bpf pflogd
69593 23145 1 0 3 0x80 netio pflogd
27175 252926 74933 73 3 0x100010 biowait syslogd
74933 391966 1 0 3 0x100082 netio syslogd
20905 36700 1 77 3 0x100090 poll dhclient
15965 159371 1 0 3 0x80 poll dhclient
19275 164034 0 0 2 0x14200 zerothread
32239 293791 0 0 3 0x14200 aiodoned aiodoned
99020 374153 0 0 3 0x14200 syncer update
66530 425822 0 0 3 0x14200 cleaner cleaner
87546 485362 0 0 7 0x14200 reaper
63500 9999 0 0 3 0x14200 pgdaemon pagedaemon
23659 240860 0 0 3 0x14200 bored crynlk
55257 321619 0 0 3 0x14200 bored crypto
67055 120672 0 0 3 0x40014200 acpi0 acpi0
55119 148343 0 0 3 0x40014200 idle1
95211 220052 0 0 3 0x14200 bored softnet
80690 167216 0 0 3 0x14200 bored systqmp
22512 426169 0 0 3 0x14200 bored systq
51405 331215 0 0 3 0x40014200 bored softclock
38186 20086 0 0 3 0x40014200 idle0
35573 369154 0 0 3 0x14200 bored smr
1 415048 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> show all locks
CPU 1:
exclusive mutex &(curpg)->mdpage.pv_mtx r = 0 (0xfffffd8006b196d8)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 mtx_enter_try+0x102
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 pmap_remove_ptes+0x22b pmap_remove_pv sys/arch/amd64/amd64/pmap.c:984
[inline]
#3 pmap_remove_ptes+0x22b sys/arch/amd64/amd64/pmap.c:1577
#4 pmap_do_remove+0x400 sys/arch/amd64/amd64/pmap.c:1785
#5 uvm_map_teardown+0x195 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:206
[inline]
#5 uvm_map_teardown+0x195 sys/uvm/uvm_map.c:2650
#6 uvmspace_free+0x86 sys/uvm/uvm_map.c:3519
#7 uvm_exit+0x29 sys/uvm/uvm_glue.c:297
#8 reaper+0x170 sys/kern/kern_exit.c:433
#9 proc_trampoline+0x1c
exclusive mutex &pmap->pm_mtx r = 0 (0xfffffd807f00abd8)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 mtx_enter_try+0x102
#2 mtx_enter+0x4b sys/kern/kern_lock.c:266
#3 pmap_do_remove+0x88 rcr3
sys/arch/amd64/compile/SYZKALLER/obj/machine/cpufunc.h:141 [inline]
#3 pmap_do_remove+0x88 pmap_map_ptes sys/arch/amd64/amd64/pmap.c:418
[inline]
#3 pmap_do_remove+0x88 sys/arch/amd64/amd64/pmap.c:1689
#4 uvm_map_teardown+0x195 uvm_map_addr_RBT_LEFT sys/uvm/uvm_map.h:206
[inline]
#4 uvm_map_teardown+0x195 sys/uvm/uvm_map.c:2650
#5 uvmspace_free+0x86 sys/uvm/uvm_map.c:3519
#6 uvm_exit+0x29 sys/uvm/uvm_glue.c:297
#7 reaper+0x170 sys/kern/kern_exit.c:433
#8 proc_trampoline+0x1c
Process 96840 (syz-executor.0) thread 0xffff800020b38980 (267967)
shared rwlock wsmuxlk r = 0 (0xffff800000026dd0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 wsmux_do_ioctl+0x521
#2 VOP_IOCTL+0x88 sys/kern/vfs_vops.c:290
#3 vn_ioctl+0xb6 sys/kern/vfs_vnops.c:512
#4 sys_ioctl+0x5b8
#5 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#5 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#6 Xsyscall+0x128
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff8234f1e0)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 syscall+0x43a mi_syscall sys/sys/syscall_mi.h:91 [inline]
#1 syscall+0x43a sys/arch/amd64/amd64/trap.c:574
#2 Xsyscall+0x128
Process 27175 (syslogd) thread 0xffff800020b85780 (252926)
exclusive rrwlock inode r = 0 (0xfffffd806eafdd58)
#0 witness_lock+0x52e sys/kern/subr_witness.c:1161
#1 rw_enter+0x46d sys/kern/kern_rwlock.c:306
#2 rrw_enter+0x4f sys/kern/kern_rwlock.c:435
#3 VOP_LOCK+0x4b sys/kern/vfs_vops.c:602
#4 vn_lock+0x6e sys/kern/vfs_vnops.c:549
#5 sys_fsync+0x114 sys/kern/vfs_syscalls.c:2793
#6 syscall+0x552 mi_syscall sys/sys/syscall_mi.h:99 [inline]
#6 syscall+0x552 sys/arch/amd64/amd64/trap.c:574
#7 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim Kern Lim
devbuf 9461 6395K 6395K 78643K 10548 0 0
pcb 25 9K 9K 78643K 73 0 0
rtable 105 3K 3K 78643K 201 0 0
ifaddr 38 10K 10K 78643K 39 0 0
counters 39 33K 33K 78643K 39 0 0
ioctlops 0 0K 4K 78643K 1469 0 0
mount 1 1K 1K 78643K 1 0 0
vnodes 1193 75K 75K 78643K 1212 0 0
UFS quota 1 32K 32K 78643K 1 0 0
UFS mount 5 36K 36K 78643K 5 0 0
shm 2 1K 1K 78643K 2 0 0
VM map 2 1K 1K 78643K 2 0 0
sem 2 0K 0K 78643K 2 0 0
dirhash 12 2K 2K 78643K 12 0 0
ACPI 1808 196K 290K 78643K 12628 0 0
file desc 5 13K 25K 78643K 50 0 0
proc 52 50K 83K 78643K 359 0 0
subproc 0 0K 1K 78643K 17 0 0
NFS srvsock 1 0K 0K 78643K 1 0 0
NFS daemon 1 16K 16K 78643K 1 0 0
in_multi 33 2K 2K 78643K 33 0 0
ether_multi 1 0K 0K 78643K 1 0 0
ISOFS mount 1 32K 32K 78643K 1 0 0
MSDOSFS mount 1 16K 16K 78643K 1 0 0
ttys 18 79K 79K 78643K 18 0 0
exec 0 0K 1K 78643K 230 0 0
pagedep 1 8K 8K 78643K 1 0 0
inodedep 1 32K 32K 78643K 1 0 0
newblk 1 0K 0K 78643K 1 0 0
VM swap 7 26K 26K 78643K 7 0 0
UVM amap 80 20K 20K 78643K 1240 0 0
UVM aobj 2 2K 2K 78643K 2 0 0
memdesc 1 4K 4K 78643K 1 0 0
crypto data 1 1K 1K 78643K 1 0 0
NDP 6 0K 0K 78643K 10 0 0
temp 55 2714K 2778K 78643K 3487 0 0
SYN cache 2 16K 16K 78643K 2 0 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg
Idle
arp 64 6 0 0 1 0 1 1 0
8 0
inpcbpl 280 43 0 37 1 0 1 1 0
8 0
plimitpl 152 20 0 12 1 0 1 1 0
8 0
plcache 128 20 0 0 1 0 1 1 0
8 0
rtentry 112 45 0 1 2 0 2 2 0
8 0
syncache 264 8 0 8 1 0 1 1 0
dino1pl 128 1491 0 64 47 0 47 47 0
8 0
ffsino 272 1491 0 64 96 0 96 96 0
8 0
nchpl 144 1746 0 103 62 1 61 61 0
8 0
uvmvnodes 72 1518 0 0 28 0 28 28 0
8 0
vnodes 200 1518 0 0 80 0 80 80 0
8 0
namei 1024 5235 0 5235 2 1 1 1 0
8 1
percpumem 16 30 0 0 1 0 1 1 0
8 0
scxspl 192 4789 0 4788 8 7 1 7 0
8 0
sigapl 432 271 0 256 3 0 3 3 0
8 1
futexpl 56 68 0 68 2 1 1 1 0
8 1
knotepl 112 107 0 90 1 0 1 1 0
8 0
kqueuepl 104 3 0 1 1 0 1 1 0
8 0
pipepl 112 226 0 207 2 1 1 1 0
8 0
fdescpl 488 272 0 256 5 2 3 3 0
8 0
filepl 152 1432 0 1364 4 1 3 3 0
8 0
lockfpl 104 48 0 46 2 1 1 1 0
8 0
lockfspl 48 14 0 13 2 1 1 1 0
8 0
sessionpl 112 27 0 16 1 0 1 1 0
8 0
pgrppl 48 27 0 16 1 0 1 1 0
8 0
ucredpl 96 73 0 64 1 0 1 1 0
8 0
zombiepl 144 256 0 255 2 1 1 1 0
8 0
processpl 840 287 0 255 4 0 4 4 0
8 0
procpl 600 323 0 282 5 1 4 4 0
8 0
sockpl 384 103 0 85 4 1 3 3 0
8 1
mcl4k 4096 3 0 0 1 0 1 1 0
8 0
mcl2k 2048 95 0 0 12 0 12 12 0
8 0
mtagpl 80 1 0 0 1 0 1 1 0
8 0
mbufpl 256 151 0 0 8 0 8 8 0
8 0
bufpl 256 6009 0 1188 302 0 302 302 0
8 0
anonpl 16 32421 0 30748 19 6 13 13 0
125 5
amapchunkpl 152 1204 0 1128 8 2 6 6 0
158 2
amappl16 192 256 0 217 3 1 2 2 0
8 0
amappl15 184 1 0 1 1 0 1 1 0
8 1
amappl14 176 63 0 58 2 1 1 1 0
8 0
amappl13 168 4 0 4 2 2 0 1 0
8 0
amappl12 160 28 0 25 1 0 1 1 0
8 0
amappl11 152 91 0 71 1 0 1 1 0
8 0
amappl10 144 108 0 103 1 0 1 1 0
8 0
amappl9 136 817 0 814 1 0 1 1 0
8 0
amappl8 128 170 0 160 1 0 1 1 0
8 0
amappl7 120 47 0 42 1 0 1 1 0
8 0
amappl6 112 94 0 86 1 0 1 1 0
8 0
amappl5 104 182 0 167 1 0 1 1 0
8 0
amappl4 96 503 0 481 1 0 1 1 0
8 0
amappl3 88 249 0 239 1 0 1 1 0
8 0
amappl2 80 1270 0 1192 4 1 3 3 0
8 1
amappl1 72 17422 0 16969 32 14 18 20 0
8 8
amappl 80 629 0 593 1 0 1 1 0
84 0
dma4096 4096 1 0 1 1 1 0 1 0
8 0
dma256 256 6 0 6 1 1 0 1 0
8 0
dma64 64 259 0 259 1 1 0 1 0
8 0
dma32 32 7 0 7 1 1 0 1 0
8 0
dma16 16 17 0 17 1 1 0 1 0
8 0
aobjpl 64 1 0 0 1 0 1 1 0
8 0
uaddrrnd 24 272 0 256 1 0 1 1 0
8 0
uaddrbest 32 2 0 0 1 0 1 1 0
8 0
uaddr 24 272 0 256 1 0 1 1 0
8 0
vmmpekpl 168 9021 0 8996 2 0 2 2 0
8 0
vmmpepl 168 40075 0 39019 93 16 77 78 0 357
29
vmsppl 360 271 0 255 2 0 2 2 0
8 0
pdppl 4096 551 0 510 7 1 6 6 0
8 0
pvpl 32 155188 0 151044 116 8 108 108 0 265
69
pmappl 232 271 0 255 2 0 2 2 0
8 1
extentpl 40 41 0 26 1 0 1 1 0
8 0
phpool 112 449 0 5 13 0 13 13 0
8 0
Tested on:
commit: c77fcae4 tmp debug
git tree:
https://github.com/mptre/openbsd-src
console output:
https://syzkaller.appspot.com/x/log.txt?x=129107bca00000